1 / 75

Web Browser Security

Spring 2006. CS 155. Web Browser Security. John Mitchell. Course Schedule. Projects Proj 1: Assigned April 11, Due April 27 Proj 2: Assigned May 2, Due May 18 Proj 3: Assigned May 18, Due June 8 No Late Days Homework HW 1: Assigned April 20, Due May 4

herman
Télécharger la présentation

Web Browser Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Spring 2006 CS 155 Web Browser Security John Mitchell

  2. Course Schedule • Projects • Proj 1: Assigned April 11, Due April 27 • Proj 2: Assigned May 2, Due May 18 • Proj 3: Assigned May 18, Due June 8 No Late Days • Homework • HW 1: Assigned April 20, Due May 4 • HW 2: Assigned May 11, Due May 25 • HW 3: no HW3 this year

  3. Outline • Browser review • Bugs happen • HTTP, scripts, events, DOM • Session state and cookies • Protecting the browser environment • Execution sandbox • Access policies, signed scripts • Privacy and confidentiality for sensitive information • Protecting the file system, OS, platform • Protecting information associated with other browser processes (e.g., other windows) • Protecting the user against deception • Protecting against traffic analysis

  4. Browser and Network Network • Browser sends requests • May reveal private information (in forms, cookies) • Browser receives information, code • May corrupt state by running unsafe code • Interaction susceptible to network attacks • Consider network security later in the course request Browser Web site reply OS Hardware

  5. Tuesday, February 12, 2002 • Microsoft Issues New IE Browser Security PatchBy Richard Karpinski • Microsoft has released a security patch that closes some major holes in its Internet Explorer browser • The so-called "cumulative patch" fixes six different IE problems ... • Affected browsers include Internet Explorer 5.01, 5.5 and 6.0. • Microsoft rated the potential security breaches as "critical."

  6. Feb 2002 patch addresses: • Abuffer overrun associated with an HTML directive ... Hackers could use this breach to run malicious code on a user's system. • A scripting vulnerability that would let an attacker read files on a user's systems. • A vulnerability related to the display of file names ... Hackers could … misrepresent the name of a file ... and trick a user into downloading an unsafe file. • A vulnerability that would allow a Web page to improperly invoke an application installed on a user's system to open a file on a Web site. • … more … MS announced 20 vulnerabilities on April 13, 2004 !!!

  7. And then again last year, … Windows Security Updates Summary for April 2005 Published: April 12, 2005 A security issue has been identified that could allow an attacker to compromise a computer running Internet Explorer and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

  8. Microsoft Security Bulletin MS06-013, April 2006

  9. Browser security topics • Review HTTP, scripting • Controlling outgoing information • Cookies • Cookie mechanism, JunkBuster • Routing privacy • Anonymizer, Crowds • Privacy policy – P3P • Risks from incoming executable code • JavaScript • ActiveX • Plug-ins • Java

  10. HTTP HyperText Transfer Protocol • Used to request and return data • Methods: GET, POST, HEAD, … • Stateless request/response protocol • Each request is independent of previous requests • Statelessness has a significant impact on design and implementation of applications • Evolution • HTTP 1.0: simple • HTTP 1.1: more complex

  11. HTTP Request Method File HTTP version Headers GET /default.asp HTTP/1.0 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Connection: Keep-Alive If-Modified-Since: Sunday, 17-Apr-96 04:32:58 GMT Blank line Data – none for GET

  12. HTTP Response HTTP version Status code Reason phrase Headers HTTP/1.0 200 OK Date: Sun, 21 Apr 1996 02:20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Content-Type: text/html Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Content-Length: 2543 <HTML> Some data... blah, blah, blah </HTML> Data

  13. HTTP Server Status Codes • Return code 401 • Used to indicate HTTP authorization • HTTP authorization has serious problems!!!

  14. HTML and Scripting <html> … <P> <script> var num1, num2, sum num1 = prompt("Enter first number") num2 = prompt("Enter second number") sum = parseInt(num1) + parseInt(num2) alert("Sum = " + sum) </script> … </html> Browser receives content, displays HTML and executes scripts

  15. Events Mouse event causes page-defined function to be called <script type="text/javascript"> function whichButton(event) { if (event.button==1) { alert("You clicked the left mouse button!") } else { alert("You clicked the right mouse button!") }} </script> … <body onmousedown="whichButton(event)"> … </body> Other events: onLoad, onMouseMove, onKeyPress, onUnLoad

  16. Document object model (DOM) • Object-oriented interface used to read and write documents • web page in HTML is structured data • DOM provides representation of this hierarchy • Examples • Properties: document.alinkColor, document.URL, document.forms[ ], document.links[ ], document.anchors[ ] • Methods: document.write(document.referrer) • Also Browser Object Model (BOM) • Window, Document, Frames[], History, Location, Navigator (type and version of browser)

  17. Need for session state www.e_buy.com www.e_buy.com/ shopping.cfm? pID=269& item1=102030405 View Catalog Select Item Check out www.e_buy.com/ shopping.cfm? pID=269 www.e_buy.com/ checkout.cfm? pID=269& item1=102030405 Store session information in URL; Easily read on network

  18. Store info across sessions? • Cookies • A cookie is a file created by an Internet site to store information on your computer Enters form data Server Browser Stores cookie Requests cookie Server Browser Returns data Http is stateless protocol; cookies add state

  19. Cookie • A named string stored by the browser • Accessible as property of the Document object • Can be read and written entirely on client side using Javascript • Accessibility • persists for the duration of the browser session (but an expiration date may be given) • is associated with the subtree of the document that created it (but a cookie path may be specified) • is accessible to pages on the server that created it (but a cookie domain may be declared)

  20. Browser security risks • Compromise host • Write to file system • Interfere with other processes in browser environment • Steal information • Read file system • Read information associated with other browser processes (e.g., other windows) • Fool the user • Reveal information through traffic analysis

  21. Browser sandbox • Idea • Code executed in browser has only restricted access to OS, network, and browser data structures • Isolation • Similar to OS process isolation, conceptually • Browser is a “weak” OS • Same-origin principle • Browser “process” consists of related pages and the site they come from

  22. Same-Origin Principle • Basic idea • Only the site that stores some information in the browser may later read or modify that information (or depend on it in any way). • Details • What is a “site”? • URL, domain, pages from same site … ? • What is “information”? • cookies, document object, cache, … ? • Default only: users can set other policies • No way to keep sites from sharing information

  23. Java • General programming language • Web pages may contain Java code • Java executed by Java Virtual Machine • Special security measures associated with Java code from remote URLs • Javascript, other security models are based on Java security model

  24. Java Applet • Local window • Download • Seat map • Airline data • Local data • User profile • Credit card • Transmission • Select seat • Encrypted msg

  25. Mobile code security mechanisms • Examine code before executing • Java bytecode verifier performs critical tests • Interpret code and trap risky operations • Java bytecode interpreter does run-time tests • Security manager applies local access policy • Security manager policy based on • Site that suppplied the code • Code signing – who signed it?

  26. Java Virtual Machine Architecture A.java A.class Java Compiler Compile source code Java Virtual Machine Loader Network B.class Verifier Linker Bytecode Interpreter

  27. Class loader • Runtime system loads classes as needed • When class is referenced, loader searches for file of compiled bytecode instructions • Default loading mechanism can be replaced • Define alternate ClassLoader object • Extend the abstract ClassLoader class and implementation • Can obtain bytecode from network • VM restricts applet communication to site that supplied applet

  28. Verifier • Bytecode may not come from standard compiler • Evil hacker may write dangerous bytecode • Verifier checks correctness of bytecode • Every instruction must have a valid operation code • Every branch instruction must branch to the start of some other instruction, not middle of instruction • Every method must have a structurally correct signature • Every instruction obeys the Java type discipline Last condition is fairly complicated .

  29. Type Safety of JVM • Load-time type checking • Run-time type checking • All casts are checked to make sure type safe • All array references are checked to be within bounds • References are tested to be not null before dereference • Additional features • Automatic garbage collection • NO pointer arithmetic If program accesses memory, the memory is allocated to the program and declared with correct type

  30. How do we know verifier is correct? • Many early attacks based on verifier errors • Formal studies prove correctness • Abadi and Stata • Freund and Mitchell • Found error in initialize-before-use analysis

  31. JVM uses stack machine • Java Class A extends Object { int i void f(int val) { i = val + 1;} } • Bytecode Method void f(int) aload 0 ; object ref this iload 1 ; int val iconst 1 iadd ; add val +1 putfield #4 <Field int i> return JVM Activation Record local variables operandstack Return addr, exception info, Const pool res. data area • refers to const pool

  32. Java Object Initialization • No easy pattern to match. • Multiple refs to same uninitialized object.

  33. Bug in Sun’s JDK 1.1.4 • Example: variables 1 and 2 contain references to two different objects, verifier thinks they are aliases

  34. Security Manager • Java library functions call security manager • Security manager object answers at run time • Decide if calling code is allowed to do operation • Examine protection domain of calling class • Signer: organization that signed code before loading • Location: URL where the Java classes came from • Uses the system policy to decide access permission

  35. Stack Inspection • Permission depends on • Permission of calling method • Permission of all methods above it on stack • Up to method that is trusted and asserts this trust Many details omitted method f method g method h java.io.FileInputStream • Stories: Netscape font / passwd bug; Shockwave plug-in

  36. ActiveX • ActiveX controls reside on client's machine, activated by HTML object tag on the page • ActiveX controls are not interpreted by browser • Compiled binaries executed by client OS • Controls can be downloaded and installed • Security model relies on three components • Digital signatures to verify source of binary • IE policy can reject controls from network zones • Controls marked by author as safe for initialization, safe for scripting which affects the way control used Once accepted, installed and started, no control over execution

  37. Installing Controls If you install and run, no further control over the code. In principle, browser/OS could apply sandboxing, other techniques for containing risks in native code. But don’t count on it.

  38. Risks associated with controls • MSDN Warning • An ActiveX control can be an extremely insecure way to provide a feature • Why? • A COM object, control can do any user action • read and write Windows registry • access the local file system • Other web pages can attack a control • Once installed, control can be accessed by any page • Page only needs to know class identifier (CLSID) • Recommendation: use other means if possible http://msdn.microsoft.com/library/default.asp?url=/code/list/ie.asp

  39. IE Browser Helper Objects (Extensions) • COM components loaded when IE starts up • Run in same memory context as the browser • Perform any action on IE windows and modules • Detect browser events • GoBack, GoForward, and DocumentComplete • Access browser menu, toolbar and make changes • Create windows to display additional information • Install hooks to monitor messages and actions • Summary: No protection from extensions http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp

  40. JavaScript • Executed by browser • Used in many attacks (to exploit other vulnerabilities) • Cookie attack from earlier slide (08 Nov 2001): With the assistance of some JavaScript code, an attacker could construct a Web page or HTML-based e-mail that could access any cookie in the browser's memory or those stored on disk ... • JavaScript runs • Before the HTML is loaded, before the document is viewed • While the document is viewed, or as the browser is leaving

  41. Javascript Security Model • “Sandbox” design (at least conceptually) • No direct file access or network access • Same-origin policy • Can only read properties of documents and windows from same place: server, protocol, port • Access control with signed scripts • User can grant privileges to signed scripts • UniversalBrowserRead/Write • UniversalFileread, • UniversalSendMail Reference: http://www.devarticles.com/c/a/JavaScript/JavaScript-Security/

  42. Examples, assuming www.example.com Same-origin check applies to access to window object of other frames, etc.

  43. Same-origin check • Example Javascript var w = window.open(http://www.google.com);// After 10 seconds, see what URL they're looking atvar snoopedURL;setTimeout("snoopedURL = w.location.href)", 10 * 1000); • What should this do? • Succeed if loaded from www.google.com, or origin of whatever page is being viewed • Fail otherwise? Some browsers don’t fail • Script on page can reset domain • To more general domain than actual source of page • Allows other scripts to access that document properties without violating the same-origin policy

  44. Problems with S-O Principle • Poorly enforced on some browsers • Particularly older browsers • Limitations if site hosts unrelated pages • Example: Web server often hosts sites for unrelated parties • http://www.example.com/account/ • http://www.example.com/otheraccount/ • Same-origin policy, allows script on one page to access properties of document from another • Finer grained control using signed scripts • See article for more info

  45. LiveConnect • Netscape-supported interaction between Java applets, plugins, and JavaScript • JavaObject is a JavaScript wrapper on Java object • JSObject is a Java on a JavaScript object • Question • What kind of same-origin policy do we get here?

  46. Browser Cookie Management • Cookie Same-origin ownership • Once a cookie is saved on your computer, only the Web site that created the cookie can read it. • Variations • Temporary cookies • Stored until you quit your browser • Persistent cookies • Remain until deleted or expire • Third-party cookies • Originates on or sent to a web site other than the one that provided the current page

  47. Third-party cookies • Get a page from merchant.com • Contains <img src=http://doubleclick.com/advt.gif> • Image fetched from DoubleClick.com • DoubleClick knows IP address and page you were looking at • DoubleClick sends back a suitable advertisement • Stores a cookie that identifies "you" at DoubleClick • Next time you get page with a doubleclick.com image • Your DoubleClick cookie is sent back to DoubleClick • DoubleClick could maintain the set of sites you viewed • Send back targeted advertising (and a new cookie) • Cooperating sites • Can pass information to DoubleClick in URL, …

  48. Example: Mortgage Center <html><title> Mortgage Center </title><body> … http://www.loanweb.com/ad.asp?RLID=0b70at1ep0k9 What’s this?

More Related